Exception handling in cellular authentication

ABSTRACT

A cellular terminal transmits a request that requires authentication procedure triggering to a cellular network and responsively receives from the cellular network an authentication request message with an indication of a selected cryptographic algorithm from a group of a plurality of cryptographic algorithms. The cellular terminal attempts to decode the authentication request message to a decoded authentication request according to the selected cryptographic algorithm and based on a shared secret known by the cellular terminal and a network operator of the cellular terminal. The cellular terminal produces a determination whether the attempt was successful and the cellular terminal supports the selected cryptographic algorithm in authenticating to the cellular network; and in case the determination is positive, based on the decoded authentication request, the shared secret and the selected cryptographic algorithm, produces and encrypts an authentication response message and transmits the authentication response message to the cellular network; and in case the determination is not positive, produces and sends to the cellular network a failure report.

TECHNICAL FIELD

The present application generally relates to exception handling incellular authentication.

BACKGROUND

This section illustrates useful background information without admissionof any technique described herein representative of the state of theart.

Cellular networks or more accurately cellular telecommunicationsnetworks are ubiquitous in modern societies. To enable a cellularterminal to start communications over a cellular network, the cellularterminals need to attach or register to the network in a networkregistration process. In the network registration process, a cellularterminal exchanges signals to authenticate itself or more accurately itssubscription, typically using a USIM application on a UICC. In thenetwork registration process, the cellular terminal obtains from thenetwork and the SIM access information such as a session key with whichthe cellular terminal can subsequently communicate in the cellularnetwork. The access information typically changes to prevent re-use ofthe access information by a possible illegal interceptor.

Encryption is a basic tool that is employed also in other types ofdigital cellular systems. Already GSM used encryption to enablemitigating illegal interception. The development of computer technologyhas subsequently made old encryption techniques more vulnerable, butalso helped to enhance the security techniques used in cellular systems.For instance, wide-band CDMA (W-CDMA) was designed for stronger securityby enabling also the network to authenticate itself to the cellularterminals. In the W-CDMA, the subscriber identity is provided by aUniversal Integrated Circuit Card (UICC) that runs a UniversalSubscriber Identity Module (USIM). The USIM produces e.g. a session keybased on a shared secret stored on the UICC, challenge and replay attackprevention codes received from the network and cryptographic algorithmthat is enhanced over the one used in GSM. Also the authenticationsignaling is enhanced in the W-CDMA over GSM e.g. for protection againstsome man-in-the-middle attacks.

In parallel with the development of security methods for securing thecommunications in the cellular systems, there are also growing needs fordeveloping the structure of cellular terminals. At present, mostcellular terminals contain an identity module slot such as a SIM slot inwhich a user can place and replace an identity module card such as theUICC. There is also development towards identity modules that are notphysically replaceable so as to enable over-the-air change ofsubscription and/or to prevent theft of the identity module from acellular terminal. Such software identity modules may be very usefule.g. for built-in vehicular communication systems so that theiremergency reporting capabilities and possible burglar control systemscould not be easily deactivated by removing an identity module card.While the non-removability of embedded UICCs brings its advantages withrespect to theft protection or price, it has also its challenges. Onemajor challenge is the user of the machine that holds the identitymodule may wish to have another cellular operator. Today, the operatorwould issue a new card. This is not possible with embedded modules.Therefore, an operator is for the machine use cases not necessarily surewhat kind of module will be connected to its network and whatcapabilities it has. This will lead to error cases that we don't havetoday and which need to be solved to avoid that the module cannotconnect at all.

While necessary for security, the authentication signaling unfortunatelydelays completion of network registration procedures. Moreover, theinventors have now identified that in some particular combinations ofcellular terminal equipment, network configuration and encryptionauthentication protocols, a cellular terminal might engage into aperpetually failing loop so that its user could not establishtelecommunications connectivity at all.

SUMMARY

Various aspects of examples of the invention are set out in the claims.

According to a first example aspect of the present invention, there isprovided a method in a cellular terminal, comprising:

transmitting a request that requires authentication procedure triggeringto a cellular network and responsively receiving from the cellularnetwork an authentication request message with an indication of aselected cryptographic algorithm from a group of a plurality ofcryptographic algorithms;

attempting to decode the authentication request message to a decodedauthentication request according to the selected cryptographic algorithmand based on a shared secret known by the cellular terminal and anetwork operator of the cellular terminal;

producing a determination whether the attempt was successful and thecellular terminal supports the selected cryptographic algorithm inauthenticating to the cellular network; and

in case the determination is positive, based on the decodedauthentication request, the shared secret and the selected cryptographicalgorithm, producing and encrypting an authentication response messageand transmitting the authentication response message to the cellularnetwork; and

in case the determination is not positive, producing and sending to thecellular network a failure report.

The request that requires authentication procedure triggering may be anetwork registration request.

The request that requires authentication procedure triggering may be arouting area request.

The request that requires authentication procedure triggering may be atracking area update request.

The authentication request may be an authentication request of anevolved packet system architecture.

The authentication request message may be received from a mobilitymanagement entity. The authentication response message may betransmitted to the mobility management entity.

The cellular terminal may comprise a security entity. The securityentity may comprise a secure element and a subscriber identity moduleapplication. The cellular terminal may comprise user equipment. The userequipment may be configured to perform communications over radiointerface with a base station. The security entity may be configured todecode authentication requests and to produce authentication responses.The user equipment may be selected from a group consisting of: a mobileterminal; a laptop computer; a vehicle; a car; a car key; a portabledevice; a handheld electronic device; and a single or multifunctiondevice with cellular radio capability. The secure element may beremovable or embedded or integrated in an existing processorarchitecture (e.g. baseband circuitry, main processor, centralprocessing unit, and/or master control unit).

The cryptographic algorithms may be selected from a group consisting ofMILENAGE; 128 bit TUAK; and 256 bit TUAK. The TUAK may refer to analgorithm set that complies with 3GPP TS 35.231 v. 12.0.1. The TUAK maybe configured to employ AES cryptography. The TUAK may be based onKeccak permutation.

The authentication request message may be an extended authenticationrequest message. The extended authentication request may comprise amessage type indication that is configured to cause legacy terminals toneglect the extended authentication request message.

The extended authentication request may comprise a field configured toaccommodate a 256 bit authentication token, AUTN.

The authentication token may comprise 128 bits, 192 bits, 256 bits or320 bits. The authentication token may consist of 128 bits, 192 bits,256 bits or 320 bits. In case that the authentication token is more than256 bits, excess bits may be discarded.

The authentication token may comprise a sequence number, SQN. Thesequence number may consist of 48 bits.

The authentication token may comprise an anonymity key, AK. Theanonymity key may consist of 48 bits.

The authentication token may comprise an authentication managementfield, AMF. The authentication management field may consist of 16 bits.The authentication management field may comprise 7 spare bits. The sparebits may be used to indicate cryptography adaptation information. Thecryptography adaptation information may comprise lengths of differentcryptography parameters.

The authentication token may comprise a challenge, RAND. The challengemay consist of 128 bits.

The cellular authentication may employ a cipher key, OK. The cipher keymay consist of 64 bits, 128 bits or 256 bits.

The cellular authentication may employ an integrity key, IK. Theintegrity key may consist of 64 bits, 128 bits or 256 bits.

The cellular authentication may employ a response parameter, RES. Theresponse parameter may consist of 32 bits, 64 bits, 128 bits or 256bits.

The authentication request message may be an updated authenticationrequest. The updated authentication request may comprise an identifierfor indicating which cryptographic algorithm is being used for theauthentication. The identifier may be a new field in addition to thosein the normal authentication request. The normal authentication requestmay comply with 3GPP TS 24.301 and 3GPP TS 24.008. Alternatively, theidentifier may be contained in one or more bits of the authenticationmanagement field, AMF.

The authentication request message may comprise a protocoldiscriminator. The authentication request message may comprise asecurity header type. The authentication request message may comprise anon-access stratum key set identifier. The authentication requestmessage may comprise a spare half octet. The authentication requestmessage may comprise a challenge, RAND (e.g. evolved packet system, EPS,challenge). The authentication request message may comprise anauthentication token, AUTN. The authentication token may comprise anauthentication management field, AMF. The authentication managementfield may comprise a parameter indicating the length of TUAK to be used(e.g. 128 or 256 bit TUAK).

The message type may match with that of the normal authenticationrequest message. The updated authentication request may comprise a 256bit authentication token field. The updated authentication request maycomprise a 256 bit authentication token field only if a 256 bitauthentication token is being used. Otherwise, the updatedauthentication request may comprise a 128 bit authentication tokenfield.

The authentication response message may comprise a message typeindication. The message type indication may identify the authenticationresponse message as an extended authentication response message. Themessage type indication may match with that of a normal authenticationresponse message. The message type indication of the normalauthentication response message may comply with 3GPP TS 24.301.

The extended authentication response message may comprise a variablelength authentication response parameter, RES. The authenticationresponse parameter may have a length selected from a group consisting ofany one or more of: 32 bits, 64 bits, 128 bits or 256 bits.

The authentication response message may be provided with a newinformation element in comparison the normal authentication responsemessage. The new information element may be configured to accommodate a128 bit or a 256 bit authentication response parameter.

The authentication response message may comprise an extendedauthentication response parameter field that is configured toaccommodate a 128 bit or a 256 bit authentication response parameter.

The authentication response message may comprise a cryptographyalgorithm indication.

The failure report may comprise an authentication failure message. Thefailure report may consist of an authentication failure message. Theauthentication failure message may comprise any of: a protocoldiscriminator; a security header type; an authentication failure messagetype; an EPS mobility management, EMM, cause; and an authenticationfailure parameter.

The cellular terminal may be configured to detect an error in a messageauthenticator of the authentication requests, MAC-A. The cellularterminal may be configured to produce the failure report in a mannerdependent on the error that was likely to prevent successful decoding ofthe authentication request or the use of the selected cryptographicalgorithm.

The cellular terminal may be configured to contain in the failurereport, if the error was caused by incompatible length of MAC-A: anindication of the length of at least one of: the TUAK MAC-A used by thecellular terminal; and the TUAK MAC-A that the cellular terminal derivesas likely used by the cellular network in the authentication request.

The failure report may comprise a new information element for errorreporting. The error reporting may indicate a new EMM cause code. Theerror reporting may indicate an existing EMM code such as #20.

The cellular terminal may be configured to detect an error in anauthentication management field. The authentication management field maybe contained by the MAC-A.

The failure report may indicate any one or more of: the length of TUAKMAC-A used by the cellular terminal; the length of TUAK MAC-A thecellular terminal presumes network used; the length of TUAK integritykey used by the cellular terminal; the length of TUAK integrity key thecellular terminal presumes network used; the length of TUAK cipher keyused by the cellular terminal; the length of TUAK cipher key thecellular terminal presumes network used; the length of TUAKauthentication value (e.g. RES) used by the cellular terminal; thelength of TUAK authentication value (e.g. RES); the cellular terminalpresumes network used; the length of TUAK shared secret key used by thecellular terminal; and the length of TUAK shared secret key the cellularterminal presumes network used.

The cellular terminal may be configured to detect an error in are-synchronization token.

The failure report may contain an indication of the re-synchronizationtoken as computed by the cellular terminal.

The cellular terminal may be configured to detect that theauthentication request is configured to request the cellular terminal touse an authentication algorithm that is not supported by the cellularterminal.

The failure report may comprise any one or more of: an indicationauthentication algorithm or algorithms supported by the cellularterminal; and an indication of authentication algorithm or algorithmsrequested by the network as determined by the cellular terminal.

According to a second example aspect of the present invention, there isprovided a method in a cellular network, comprising:

receiving a request that requires authentication procedure triggeringand responsively transmitting an authentication request message with anindication of a selected cryptographic algorithm from a group of aplurality of cryptographic algorithms; and

receiving an authentication response message or a failure reportindicative of a failure of the cellular terminal to produce anauthentication response message corresponding to the authenticationrequest message.

The request that requires authentication procedure triggering may be anetwork registration request.

The request that requires authentication procedure triggering may be arouting area request.

The request that requires authentication procedure triggering may be atracking area update request.

The authentication request may be an authentication request of anevolved packet system architecture.

The authentication request message may be transmitted by a mobilitymanagement entity. The authentication failure report or theauthentication response message may be received by the mobilitymanagement entity.

The method may comprise adjusting cellular authentication process withthe cellular terminal in response to receiving the failure report. Themethod may comprise using a recovery mechanism to enable authenticationof a cellular terminal that fails to support an authentication processthat the cellular terminal should support.

According to a third example aspect of the present invention, there isprovided a process comprising the method of the first example aspect andthe method of the second example aspect.

According to a fourth example aspect of the present invention, there isprovided an apparatus comprising at least one memory and processor thatare collectively configured to cause the apparatus to perform the methodof the first example aspect.

According to a fifth example aspect of the present invention, there isprovided an apparatus comprising at least one memory and processor thatare collectively configured to cause the apparatus to perform the methodof the second example aspect.

According to a sixth example aspect of the present invention, there isprovided an apparatus comprising means for performing the method of thefirst example aspect.

According to a seventh example aspect of the present invention, there isprovided an apparatus comprising means for performing the method of thesecond example aspect.

According to an eighth example aspect of the present invention, there isprovided a system comprising the apparatus of the third or fifth exampleaspect and the apparatus of the fourth or sixth example embodiment.

According to a ninth example aspect of the present invention, there isprovided a computer program comprising computer executable program codeconfigured to execute the method of the first or second example aspect.

The computer program may be stored in a computer readable memory medium.

Any foregoing memory medium may comprise a digital data storage such asa data disc or diskette, optical storage, magnetic storage, holographicstorage, opto-magnetic storage, phase-change memory, resistive randomaccess memory, magnetic random access memory, solid-electrolyte memory,ferroelectric random access memory, organic memory or polymer memory.The memory medium may be formed into a device without other substantialfunctions than storing memory or it may be formed as part of a devicewith other functions, including but not limited to a memory of acomputer, a chip set, and a sub assembly of an electronic device.

Different non-binding example aspects and embodiments of the presentinvention have been illustrated in the foregoing. The embodiments in theforegoing are used merely to explain selected aspects or steps that maybe utilized in implementations of the present invention. Someembodiments may be presented only with reference to certain exampleaspects of the invention. It should be appreciated that correspondingembodiments may apply to other example aspects as well.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of example embodiments of the presentinvention, reference is now made to the following descriptions taken inconnection with the accompanying drawings in which:

FIG. 1 shows an architectural drawing of a system of an exampleembodiment;

FIG. 2 shows a flow chart of a process of an example embodiment;

FIG. 3 shows a block diagram of an apparatus of an example embodiment;

FIG. 4 shows a block diagram of an apparatus of an example embodiment;and

FIG. 5 shows a flow chart illustrating a method in a cellular terminal,according to an example embodiment.

DETAILED DESCRIPTION OF THE DRAWINGS

An example embodiment of the present invention and its potentialadvantages are understood by referring to FIGS. 1 through 4 of thedrawings. In this document, like reference signs denote like parts orsteps.

FIG. 1 an architectural drawing of a system of an example embodiment. Acellular terminal 100 is drawn with user equipment 110 and a secureelement containing a USIM 120. In an example embodiment, the USIM is anapplication on a software implemented security element. The systemfurther comprises a cellular telecommunication network 200 thatcomprises an E-UTRAN or eNB 210, a mobility management entity MME 220, ahome subscriber server, HSS 230 (e.g. home location register HLR,authentication center AuC), a serving gateway 240, a serving gatewaysupport node, SGSN 250, a Universal Terrestrial Radio Access Network,UTRAN 260 and a GSM EDGE Radio Access Network, GERAN 270.

FIG. 2 shows a flow chart of a process of an example embodiment. In step21, the cellular terminal 100 transmits a request that requiresauthentication procedure triggering to the cellular network 200. Forexample, the cellular terminal 100 sends a non-access stratum (NAS)attach request or network registration request to the MME 220 via theeNB 210. The MME 220 requests 22 authentication data (e.g. anauthentication quintet) from the HSS 230 and responsively receives 23 anauthentication data response with the requested authentication data. TheMME 220 then responds to the transmitting of the request that requiresauthentication so that the cellular terminal 100 receives from thecellular network an authentication request message with an indication ofa selected cryptographic algorithm from a group of a plurality ofcryptographic algorithms. For example, the MME 220 sends 24 an NASauthentication request to the terminal 100 that replies 25 with an NASauthentication response if the terminal 100 is capable of decoding theNAS authentication request and to produce the NAS authenticationresponse.

To this end, the terminal 100 has to support the authenticationalgorithm used by the MME and possess a shared secret that is known bythe HSS 230 and the terminal 100. If the terminal 100 fails to decodethe NAS authentication request, the terminal 100 replies 25′ with a NASauthentication failure.

In an example embodiment, the cellular terminal decodes theauthentication request message to a decoded authentication requestaccording to the selected cryptographic algorithm and based on a sharedsecret known by the cellular terminal and a network operator of thecellular terminal. Based on the decoded authentication request, theshared secret and the selected cryptographic algorithm, the cellularterminal 100 produces and encrypts an authentication response message inan example embodiment (e.g. for replying in step 25).

After successful decoding of the NAS authentication request and theresponsive NAS authentication response, the MME sends 26 to the terminal100 a NAS security mode completion message and the terminal 100 replies27 with a corresponding NAS security mode complete message. In anotherexample embodiment, either or both the NAS security mode completion andNAS security mode complete reply is/are omitted or substituted by one ormore other signals or messages.

According to an example embodiment, a failure report is produced andsent to the cellular network 200, if the decoding of the authenticationrequest message fails. Failure handling of an example embodiment isfurther described in the foregoing with reference to FIG. 5.

Various messages of FIG. 2 and their processing can be implemented in alarge variety of different ways.

In an example embodiment, the process of FIG. 2 starts from anotherrequest that requires authentication procedure triggering such as atracking area update request or a routing area request to the cellularnetwork 200 instead of the network registration request.

In an example embodiment, the authentication request message 24comprises an indication of a selected cryptographic algorithm from agroup of a plurality of cryptographic algorithms. In an exampleembodiment, the cryptographic algorithms are selected from a groupconsisting of MILENAGE; 128 bit TUAK; and 256 bit TUAK. The TUAK mayrefer to an algorithm set that complies with 3GPP TS 35.231 v. 12.0.1.The TUAK may be configured to employ AES cryptography. The TUAK may bebased on Keccak permutation.

In an example embodiment, the selected cryptographic algorithm employs acipher key, OK. The cipher key may consist of 64, 128 or 256 bits.

In an example embodiment, the selected cryptographic algorithm employsan integrity key, IK. The integrity key may consist of 64, 128 or 256bits.

In an example embodiment, the selected cryptographic algorithm employs aresponse parameter, RES. The response parameter may consist of 32, 64,128 or 256 bits.

In an example embodiment, the authentication request message 24 is anextended authentication request message. In an example embodiment, theextended authentication request comprises a message type indication thatis configured to cause legacy terminals to neglect the extendedauthentication request message.

In an example embodiment, the extended authentication request comprisesa field configured to accommodate a 256 bit authentication token, AUTN.

In an example embodiment, the authentication request message 24 is anupdated authentication request. In an example embodiment, the updatedauthentication request comprises an identifier for indicating whichcryptographic algorithm is being used for the authentication. In anexample embodiment, the identifier is a new field in addition to thosein the normal authentication request. In an example embodiment, thenormal authentication request complies with 3GPP TS 24.301 or 3GPP TS24.008. In an example embodiment, the identifier is contained in one ormore bits of the authentication management field, AMF.

In an example embodiment, the authentication request message 24comprises a protocol discriminator. In an example embodiment, theauthentication request message comprises a security header type. In anexample embodiment, the authentication request message comprises anon-access stratum key set identifier. In an example embodiment, theauthentication request message comprises a spare half octet. In anexample embodiment, the authentication request message comprises achallenge, RAND (e.g. evolved packet system, EPS, challenge). In anexample embodiment, the authentication request message comprises anauthentication token, AUTN. In an example embodiment, the authenticationtoken comprises an authentication management field, AMF. Theauthentication management field may comprise a parameter indicating thelength of TUAK to be used (e.g. 128 bit TUAK or 256 bit TUAK).

In an example embodiment, the message type of the updated authenticationrequest matches with that of the normal authentication request message.In an example embodiment, the updated authentication request comprises a256 bit authentication token field. The updated authentication requestmay comprise a 256 bit authentication token field only if a 256 bitauthentication token is being used. Otherwise, the updatedauthentication request may comprise a 128 bit authentication tokenfield.

In an example embodiment, the authentication token comprises 128 bits,192 bits, 256 bits or 320 bits. In an example embodiment, theauthentication token consists of 128 bits, 192 bits, 256 bits or 320bits. In case that the authentication token is more than 256 bits,excess bits may be discarded.

In an example embodiment, the authentication token comprises a sequencenumber, SQN. In an example embodiment, the sequence number consists of48 bits.

In an example embodiment, the authentication token comprises ananonymity key, AK. In an example embodiment, the anonymity key consistsof 48 bits.

In an example embodiment, the authentication token comprises anauthentication management field, AMF. In an example embodiment, theauthentication management field consists of 16 bits. In an exampleembodiment, the authentication management field comprises 7 spare bits.In an example embodiment, the spare bits are used to indicatecryptography adaptation information. In an example embodiment, thecryptography adaptation information comprises lengths of differentcryptography parameters.

In an example embodiment, the authentication token comprises achallenge, RAND. In an example embodiment, the challenge consists of 128bits.

In an example embodiment, the decoding the authentication requestmessage 24 to a decoded authentication request is performed according tothe selected cryptographic algorithm and based on a shared secret knownby the cellular terminal and a network operator of the cellularterminal.

In an example embodiment, the process comprises, based on the decodedauthentication request, the shared secret and the selected cryptographicalgorithm, producing and encrypting the authentication response message25.

In an example embodiment, the authentication response message 25comprises a message type indication. In an example embodiment, themessage type indication identifies the authentication response messageas an extended authentication response message. In an exampleembodiment, the message type indication matches with that of a normalauthentication response message. In an example embodiment, the messagetype indication of the normal authentication response message complieswith 3GPP TS 24.301.

In an example embodiment, the extended authentication response messagecomprises a variable length authentication response parameter, RES. Inan example embodiment, the authentication response parameter has alength selected from a group consisting of any one or more of: 32 bits,64 bits, 128 bits or 256 bits.

In an example embodiment, the authentication response message 25 isprovided with a new information element in comparison the normalauthentication response message. In an example embodiment, the newinformation element is configured to accommodate a 128 bit or a 256 bitauthentication response parameter.

In an example embodiment, the authentication response message 25comprises an extended authentication response parameter field that isconfigured to accommodate a 128 bit or a 256 bit authentication responseparameter.

In an example embodiment, the authentication response message 25comprises a cryptography algorithm indication.

FIG. 3 shows an example block diagram of an apparatus 300 according toan example embodiment. The apparatus 300 comprises a memory 320 thatcomprises a volatile memory 330 and a non-volatile memory 340 that isconfigured to store computer programs or software comprising computerprogram code 350. The apparatus 300 further comprises at least oneprocessor 310 for controlling the operation of the apparatus 300 usingthe computer program code 350 and an input/output system 360 forcommunicating with other entities or apparatuses. Accordingly, theinput/output system 360 comprises one or more communication units ormodules providing communication interfaces towards other entities and/orapparatuses. In an example embodiment, the processor 310 is configuredto run the program code 350 in the volatile memory 330. In an exampleembodiment, the apparatus 300 is configured to operate as the MME 220.

The processor 310 comprises, for example, any one or more of: a mastercontrol unit (MCU); a microprocessor; a digital signal processor (DSP);an application specific integrated circuit (ASIC); a field programmablegate array; and a microcontroller.

FIG. 4 shows an example block diagram of an apparatus 400 according toan example embodiment. The apparatus 400 comprises a memory 420 thatcomprises a volatile memory 430 and a non-volatile memory 440 that isconfigured to store computer programs or software comprising computerprogram code 450. The apparatus 400 further comprises at least oneprocessor 410 for controlling the operation of the apparatus 400 usingthe computer program code 450. The apparatus 400 further comprises aninput/output system 460 for communicating with other entities orapparatuses. Accordingly, the input/output system 460 comprises one ormore communication units or modules providing communication interfacestowards other entities and/or apparatuses. The apparatus 400 furthercomprises a secure element (SE) 470 secure element that contains one ormore network access applications such as SIM(s) or USIM(s). In anexample embodiment, the SE 470 is an application that is hosted by asecure element which is implemented as software. In another exampleembodiment, the secure element 470 comprises a universal integratedcircuit card, UICC. In an example embodiment, the processor 410 isconfigured to run the program code 450 in the volatile memory 430. In anexample embodiment, the apparatus 400 is configured to operate as thecellular terminal 100.

The processor 410 comprises, for example, any one or more of: a mastercontrol unit (MCU); a microprocessor; a digital signal processor (DSP);an application specific integrated circuit (ASIC); a field programmablegate array; and a microcontroller.

FIG. 5 shows a flow chart illustrating a method in a cellular terminal,according to an example embodiment, comprising:

transmitting 510 a request that requires authentication proceduretriggering to a cellular network and responsively receiving 520 from thecellular network an authentication request message with an indication ofa selected cryptographic algorithm from a group of a plurality ofcryptographic algorithms;

attempting to decode 530 the authentication request message to a decodedauthentication request according to the selected cryptographic algorithmand based on a shared secret known by the cellular terminal and anetwork operator of the cellular terminal;

producing a determination 540 whether the attempt was successful and thecellular terminal supports the selected cryptographic algorithm inauthenticating to the cellular network; and

in case the determination is positive, based on the decodedauthentication request, the shared secret and the selected cryptographicalgorithm, producing and encrypting an authentication response messageand transmitting the authentication response message to the cellularnetwork, 550; and

in case the determination is not positive, producing and sending to thecellular network a failure report, 560.

The failure report can be formed in a number of ways and in a variety ofdifferent forms. For example, in an example embodiment, the failurereport comprises and/or consists of authentication failure message. Inan example embodiment, the authentication failure message comprises anyof: a protocol discriminator; a security header type; an authenticationfailure message type; an EPS mobility management, EMM, cause; and anauthentication failure parameter.

In an example embodiment, the cellular terminal is configured to detectan error in a message authenticator of the authentication requests,MAC-A. In an example embodiment, the cellular terminal is configured toproduce the failure report in a manner dependent on the error that waslikely to prevent successful decoding of the authentication request orthe use of the selected cryptographic algorithm.

In an example embodiment, the cellular terminal is configured to containin the failure report, if the error was caused by incompatible length ofMAC-A: an indication of the length of at least one of: the TUAK MAC-Aused by the cellular terminal; and the TUAK MAC-A that the cellularterminal derives as likely used by the cellular network in theauthentication request.

In an example embodiment, the failure report comprises a new informationelement for error reporting. In an example embodiment, the errorreporting indicates a new EMM cause code. In an example embodiment, theerror reporting indicates an existing EMM code such as #20.

In an example embodiment, the cellular terminal is configured to detectan error in an authentication management field. In an exampleembodiment, the authentication management field is contained by theMAC-A.

In an example embodiment, the failure report indicates any one or moreof: the length of TUAK MAC-A used by the cellular terminal; the lengthof TUAK MAC-A the cellular terminal presumes network used; the length ofTUAK integrity key used by the cellular terminal; the length of TUAKintegrity key the cellular terminal presumes network used; the length ofTUAK cipher key used by the cellular terminal; the length of TUAK cipherkey the cellular terminal presumes network used; the length of TUAKauthentication value (e.g. RES) used by the cellular terminal; thelength of TUAK authentication value (e.g. RES); the cellular terminalpresumes network used; the length of TUAK shared secret key used by thecellular terminal; and the length of TUAK shared secret key the cellularterminal presumes network used.

In an example embodiment, the cellular terminal is configured to detectan error in a re-synchronization token.

In an example embodiment, the failure report contains an indication ofthe re-synchronization token as computed by the cellular terminal.

In an example embodiment, the cellular terminal is configured to detectthat the authentication request is configured to request the cellularterminal to use an authentication algorithm that is not supported by thecellular terminal.

In an example embodiment, the failure report comprises any one or moreof: an indication authentication algorithm or algorithms supported bythe cellular terminal; and an indication of authentication algorithm oralgorithms requested by the network as determined by the cellularterminal.

Without in any way limiting the scope, interpretation, or application ofthe claims appearing below, a technical effect of one or more of theexample embodiments disclosed herein is that reasons for authenticationfailures may be identified to the cellular network for suitable actiontherein. Another technical effect of one or more of the exampleembodiments disclosed herein is that cellular networks may testdifferent authentication algorithms and/or parameters and learn fromfailure reports the capabilities of cellular terminals. Anothertechnical effect of one or more of the example embodiments disclosedherein is problems caused for cellular terminals by using two or moredifferent authentication procedures may be identified and addressed bythe cellular network.

Embodiments of the present invention may be implemented in software,hardware, application logic or a combination of software, hardware andapplication logic. In the context of this document, a “computer-readablemedium” may be any non-transitory media or means that can contain,store, communicate, propagate or transport the instructions for use byor in connection with an instruction execution system, apparatus, ordevice, such as a computer, with one example of a computer described anddepicted in FIG. 3 or 4. A computer-readable medium may comprise acomputer-readable storage medium that may be any media or means that cancontain or store the instructions for use by or in connection with aninstruction execution system, apparatus, or device, such as a computer.

If desired, the different functions discussed herein may be performed ina different order and/or concurrently with each other. Furthermore, ifdesired, one or more of the before-described functions may be optionalor may be combined.

Although various aspects of the invention are set out in the independentclaims, other aspects of the invention comprise other combinations offeatures from the described embodiments and/or the dependent claims withthe features of the independent claims, and not solely the combinationsexplicitly set out in the claims.

It is also noted herein that while the foregoing describes exampleembodiments of the invention, these descriptions should not be viewed ina limiting sense. Rather, there are several variations and modificationswhich may be made without departing from the scope of the presentinvention as defined in the appended claims.

1-34. (canceled)
 35. A method in a cellular terminal, comprising:transmitting a request that requires authentication procedure triggeringto a cellular network and responsively receiving from the cellularnetwork an authentication request message with an indication of aselected cryptographic algorithm from a group of a plurality ofcryptographic algorithms; attempting to decode the authenticationrequest message to a decoded authentication request according to theselected cryptographic algorithm and based on a shared secret known bythe cellular terminal and a network operator of the cellular terminal;producing a determination whether the attempt was successful and thecellular terminal supports the selected cryptographic algorithm inauthenticating to the cellular network; and in case the determination ispositive, based on the decoded authentication request, the shared secretand the selected cryptographic algorithm, producing and encrypting anauthentication response message and transmitting the authenticationresponse message to the cellular network; and in case the determinationis not positive, producing and sending to the cellular network a failurereport.
 36. The method of claim 35, wherein the request that requiresauthentication procedure triggering is selected from a group consistingof: a network registration request; a routing area request; and atracking area update request.
 37. The method of claim 35, wherein theauthentication request is an authentication request of an evolved packetsystem architecture.
 38. The method of claim 35, wherein theauthentication request message is received from a mobility managemententity.
 39. The method of claim 35, wherein the authentication responsemessage is transmitted to the mobility management entity.
 40. The methodof claim 35, wherein the cellular terminal comprises a security entitythat comprises a secure element and a subscriber identity moduleapplication.
 41. The method of claim 40, wherein the security entity isconfigured to decode authentication requests and to produceauthentication responses.
 42. The method of claim 35, wherein thecryptographic algorithms are selected from a group consisting ofMILENAGE; 128 bit TUAK; and 256 bit TUAK.
 43. The method of claim 35,wherein the failure report comprises an authentication failure message.44. The method of claim 35, wherein the authentication failure messagecomprises any of: a protocol discriminator; a security header type; anauthentication failure message type; an EPS mobility management, EMM,cause; and an authentication failure parameter.
 45. The method of claim35, wherein the cellular terminal is configured to produce the failurereport in a manner dependent on the error that was likely to preventsuccessful decoding of the authentication request or the use of theselected cryptographic algorithm.
 46. The method of claim 35, whereinthe cellular terminal is configured to detect an error in a messageauthenticator of the authentication requests, MAC-A.
 47. The method ofclaim 46, wherein the cellular terminal is configured to contain in thefailure report, if the error was caused by incompatible length of MAC-A:an indication of the length of at least one of: the TUAK MAC-A used bythe cellular terminal; and the TUAK MAC-A that the cellular terminalderives as likely used by the cellular network in the authenticationrequest.
 48. The method of claim 35, wherein the failure reportcomprises a new information element for error reporting.
 49. The methodof claim 35, wherein the cellular terminal is configured to detect anerror in an authentication management field. The authenticationmanagement field is contained by the MAC-A.
 50. The method of claim 49,wherein the failure report indicates any one or more of: the length ofTUAK MAC-A used by the cellular terminal; the length of TUAK MAC-A thecellular terminal presumes network used; the length of TUAK integritykey used by the cellular terminal; the length of TUAK integrity key thecellular terminal presumes network used; the length of TUAK cipher keyused by the cellular terminal; the length of TUAK cipher key thecellular terminal presumes network used; the length of TUAKauthentication value used by the cellular terminal; the length of TUAKauthentication value; the cellular terminal presumes network used; thelength of TUAK shared secret key used by the cellular terminal; and thelength of TUAK shared secret key the cellular terminal presumes networkused.
 51. The method of claim 35, wherein the cellular terminal isconfigured to detect an error in a re-synchronization token.
 52. Themethod of claim 51, wherein the failure report contains an indication ofthe re-synchronization token as computed by the cellular terminal.
 53. Amethod in a cellular network, comprising: receiving a request thatrequires authentication procedure triggering and responsivelytransmitting an authentication request message with an indication of aselected cryptographic algorithm from a group of a plurality ofcryptographic algorithms; receiving an authentication response messageor a failure report indicative of a failure of the cellular terminal toproduce an authentication response message corresponding to theauthentication request message; and adjusting cellular authenticationprocess with the cellular terminal in response to receiving the failurereport.
 54. An apparatus comprising at least one memory and processorthat are collectively configured to cause the apparatus to perform:transmitting a request that requires authentication procedure triggeringto a cellular network and responsively receiving from the cellularnetwork an authentication request message with an indication of aselected cryptographic algorithm from a group of a plurality ofcryptographic algorithms; attempting to decode the authenticationrequest message to a decoded authentication request according to theselected cryptographic algorithm and based on a shared secret known bythe cellular terminal and a network operator of the cellular terminal;producing a determination whether the attempt was successful and thecellular terminal supports the selected cryptographic algorithm inauthenticating to the cellular network; and in case the determination ispositive, based on the decoded authentication request, the shared secretand the selected cryptographic algorithm, producing and encrypting anauthentication response message and transmitting the authenticationresponse message to the cellular network; and in case the determinationis not positive, producing and sending to the cellular network a failurereport.